[Webkit-unassigned] [Bug 145275] New: CloudFuzz: *exploitable* Invalid memory access in WebCore::CachedResourceClientWalker
bugzilla-daemon at webkit.org
Thu May 21 11:12:37 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=145275
Bug ID: 145275
Summary: CloudFuzz: *exploitable* Invalid memory access in WebCore::CachedResourceClientWalker
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Layout and Rendering
Assignee: webkit-unassigned at lists.webkit.org
Reporter: koivisto at iki.fi
14/05/15 12:15 Drew Yao:
Opening the attached html file in a debug build of WebKit trunk (r184335) with libgmalloc causes a crash.
Process 66512 stopped
* thread #1: tid = 0xd418f9, 0x00000001056a3566 WebCore`WebCore::CachedResourceClientWalker<WebCore::CachedImageClient>::next(this=0x00007fff5fbfd510) + 166 at CachedResourceClientWalker.h:54, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1646d7ff0)
frame #0: 0x00000001056a3566 WebCore`WebCore::CachedResourceClientWalker<WebCore::CachedImageClient>::next(this=0x00007fff5fbfd510) + 166 at CachedResourceClientWalker.h:54
51 while (m_index < size) {
52 CachedResourceClient* next = m_clientVector[m_index++];
53 if (m_clientSet.contains(next)) {
-> 54 ASSERT_WITH_SECURITY_IMPLICATION(T::expectedType() == CachedResourceClient::expectedType() || next->resourceClientType() == T::expectedType());
55 return static_cast<T*>(next);
56 }
57 }
(lldb) bt
* thread #1: tid = 0xd418f9, 0x00000001056a3566 WebCore`WebCore::CachedResourceClientWalker<WebCore::CachedImageClient>::next(this=0x00007fff5fbfd510) + 166 at CachedResourceClientWalker.h:54, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1646d7ff0)
* frame #0: 0x00000001056a3566 WebCore`WebCore::CachedResourceClientWalker<WebCore::CachedImageClient>::next(this=0x00007fff5fbfd510) + 166 at CachedResourceClientWalker.h:54
frame #1: 0x00000001056a1822 WebCore`WebCore::CachedImage::notifyObservers(this=0x0000000164586b80, changeRect=0x0000000000000000) + 66 at CachedImage.cpp:314
frame #2: 0x00000001056a2053 WebCore`WebCore::CachedImage::finishLoading(this=0x0000000164586b80, data=0x000000016c3fffc0) + 547 at CachedImage.cpp:436
frame #3: 0x00000001072d5005 WebCore`WebCore::SubresourceLoader::didFinishLoading(this=0x00000001645a2b00, finishTime=0) + 517 at SubresourceLoader.cpp:371
frame #4: 0x0000000106fcb455 WebCore`WebCore::ResourceLoader::didFinishLoading(this=0x00000001645a2b00, (null)=0x0000000164623fe0, finishTime=0) + 53 at ResourceLoader.cpp:562
frame #5: 0x000000010758c03a WebCore`-[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:](self=0x0000000164633ff0, _cmd=0x00007fff9612ca40, connection=0x0000000164639ff0) + 186 at WebCoreResourceHandleAsDelegate.mm:260
frame #6: 0x00007fff95b7a24d CFNetwork`__65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke + 69
frame #7: 0x00007fff95b7a0b1 CFNetwork`-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 232
frame #8: 0x00007fff95b79fb7 CFNetwork`-[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 48
frame #9: 0x00007fff95b7af74 CFNetwork`___ZN27URLConnectionClient_Classic26_delegate_didFinishLoadingEU13block_pointerFvvE_block_invoke + 104
frame #10: 0x00007fff95c2e703 CFNetwork`___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 + 94
frame #11: 0x00007fff95acfcec CFNetwork`RunloopBlockContext::_invoke_block(void const*, void*) + 72
frame #12: 0x00007fff87568664 CoreFoundation`CFArrayApplyFunction + 68
frame #13: 0x00007fff95acfbad CFNetwork`RunloopBlockContext::perform() + 133
frame #14: 0x00007fff95acf998 CFNetwork`MultiplexerSource::perform() + 282
frame #15: 0x00007fff95acf7ba CFNetwork`MultiplexerSource::_perform(void*) + 72
frame #16: 0x00007fff8759ca01 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
frame #17: 0x00007fff8758eb8d CoreFoundation`__CFRunLoopDoSources0 + 269
frame #18: 0x00007fff8758e1bf CoreFoundation`__CFRunLoopRun + 927
frame #19: 0x00007fff8758dbd8 CoreFoundation`CFRunLoopRunSpecific + 296
frame #20: 0x00007fff919dda59 Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 278
frame #21: 0x0000000100002988 parseWebKit`main(argc=3, argv=0x00007fff5fbff5d8) + 4104 at parseWebKit.m:241
frame #22: 0x00007fff890385c9 libdyld.dylib`start + 1
frame #23: 0x00007fff890385c9 libdyld.dylib`start + 1
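The listing at frame #0 shows the pattern CachedResourceClientWalker relies on: the client list is copied once, and before each returned pointer is dereferenced the walker checks that the client is still present in the resource's live client set, so a client that removes itself while being notified is skipped rather than touched. What that check cannot detect is a client that was freed while still registered, because the stale pointer remains in the set and contains() still answers true; the fault at line 54, inside the dereference that follows a successful contains(), under libgmalloc, is where such an access would trap. The following is an added illustrative model of that walker, not WebKit's code: Client, ImageClient, ClientSet and ClientWalker are hypothetical stand-ins for the CachedResourceClient hierarchy, HashCountedSet and the templated walker, and the scenarios (a client destroyed mid-walk, a client registered twice) are constructed for the example.

```cpp
// Added example modelling the snapshot-then-check client walker pattern seen
// in the crash listing. Illustrative code only; names are hypothetical.
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <functional>
#include <map>
#include <memory>
#include <vector>

enum class ClientType { Base, Image };

struct Client {
    virtual ~Client() = default;
    virtual ClientType resourceClientType() const { return ClientType::Base; }
    virtual void notify() = 0;
};

// Stand-in for the resource's counted client registry: a client may be added
// more than once and is only gone after the matching number of removes.
// Insertion order is kept so the walk order is deterministic in this example.
class ClientSet {
public:
    void add(Client* c) {
        if (++counts_[c] == 1) order_.push_back(c);
    }
    void remove(Client* c) {
        auto it = counts_.find(c);
        if (it == counts_.end()) return;
        if (--it->second == 0) {
            counts_.erase(it);
            order_.erase(std::find(order_.begin(), order_.end(), c));
        }
    }
    bool contains(Client* c) const { return counts_.count(c) != 0; }
    std::vector<Client*> snapshot() const { return order_; }
private:
    std::map<Client*, unsigned> counts_;
    std::vector<Client*> order_;
};

// The walker: copy the registered clients once, then on each step skip any
// entry that has since been removed from the live set. The type assertion is
// only meaningful if the pointer still refers to a live object; a client freed
// without deregistering would pass contains() and fault here.
template <typename T, ClientType Expected>
class ClientWalker {
public:
    explicit ClientWalker(const ClientSet& set) : set_(set), clients_(set.snapshot()) {}
    T* next() {
        while (index_ < clients_.size()) {
            Client* c = clients_[index_++];
            if (set_.contains(c)) {
                assert(c->resourceClientType() == Expected);
                return static_cast<T*>(c);
            }
        }
        return nullptr;
    }
private:
    const ClientSet& set_;
    std::vector<Client*> clients_;
    size_t index_ = 0;
};

// A client that registers on construction and deregisters on destruction,
// which is the invariant the walker's contains() check depends on.
struct ImageClient : Client {
    ImageClient(ClientSet& set, std::vector<int>& log, int id) : set_(set), log_(log), id_(id) { set_.add(this); }
    ~ImageClient() override { set_.remove(this); }
    ClientType resourceClientType() const override { return ClientType::Image; }
    void notify() override { log_.push_back(id_); if (onNotify) onNotify(); }
    std::function<void()> onNotify; // hook used to mutate the set mid-walk
    ClientSet& set_; std::vector<int>& log_; int id_;
};

// Drives one walk the way a resource notifies its observers.
static void notifyObservers(const ClientSet& set) {
    ClientWalker<ImageClient, ClientType::Image> walker(set);
    while (ImageClient* c = walker.next()) c->notify();
}

// Constructed scenario: notifying #1 destroys #2 before the walk reaches it.
// Because #2 deregisters in its destructor, the stale snapshot entry is skipped.
std::vector<int> notifyWithDestructionDuringWalk() {
    ClientSet set; std::vector<int> log;
    std::unique_ptr<ImageClient> c1(new ImageClient(set, log, 1));
    std::unique_ptr<ImageClient> c2(new ImageClient(set, log, 2));
    std::unique_ptr<ImageClient> c3(new ImageClient(set, log, 3));
    c1->onNotify = [&] { c2.reset(); };
    notifyObservers(set);
    return log; // {1, 3}
}

// Constructed scenario: #2 is registered twice and removed once mid-walk, so
// the counted set still contains it and it is notified.
std::vector<int> notifyWithDoubleRegistration() {
    ClientSet set; std::vector<int> log;
    std::unique_ptr<ImageClient> c1(new ImageClient(set, log, 1));
    std::unique_ptr<ImageClient> c2(new ImageClient(set, log, 2));
    std::unique_ptr<ImageClient> c3(new ImageClient(set, log, 3));
    set.add(c2.get());
    c1->onNotify = [&] { set.remove(c2.get()); };
    notifyObservers(set);
    return log; // {1, 2, 3}
}

int main() {
    assert((notifyWithDestructionDuringWalk() == std::vector<int>{1, 3}));
    assert((notifyWithDoubleRegistration() == std::vector<int>{1, 2, 3}));
    return 0;
}
```

Both scenarios are safe only because every client deregisters before its memory is released; if an ImageClient were deleted without its destructor running remove(), the snapshot entry would pass contains() and the next line would read freed memory, which is exactly the kind of access a guard-page allocator such as libgmalloc turns into an immediate EXC_BAD_ACCESS.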
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150521/6e8e84ff/attachment-0001.html>